Hello, my name is Thomas Cope and I currently work as the Chief Security Officer at Qush Security. I manage the end to end Security of our Enterprise DLP product (from design, threat model, SDLC, release and support) alongside managing the PSIRT & Product Security teams and our ISO 27001 certification. Before joining Qush I worked for eight years as a Cloud Cyber Security Architect at IBM while studying part-time at Oxford University for a Master’s Degree in Software and Systems Security.
I am an experienced Security Architect and Systems Engineer with a passion for designing, building and maintaining secure systems, processes and teams. I have strong experience in both Cloud and containerized (Docker / Kubernetes) platforms while working in DevSecOps environments. I enjoy programming and electronics in my spare time - you can learn more in the “Projects” sections below. I have a keen interest in Security and Cryptography. I enjoy designing and building secure systems / software as well as performing security research on pre-existing systems / software. I am CISSP Certified as well as a Redhat Linux System Engineer. I use these skills extensively at work and for the support of this server which is used to host both myself, and a friend’s projects (Server Status).
In my spare time, I am a STEM Ambassador and an Associational (MBCS) Member of the British Computer Society. I play games such as TF2, Counter-Strike, Valorant, Minecraft. Avid runner and enjoy good game of Badminton. Also enjoy Skiing when I get the chance. Feel free to drop me a line either on my Linkedin or GitHub or Youtube. Plus I use GPG if you want to send me encrypted Mail (PubKey).
Some of my ramblings:
Abstract I presented my talk “From Zero to SSRF to RCE and back again” to the Newcastle University Competitive Computer Science Society, in the talk I explain “Ethical Hacking Journey…
(Posted on 21 May 2022 · 1 min read)
During some security research I discovered a method in which the local user account restricted in the HMC shell could be uses to escalate privilege to root access. The post…
(Posted on 19 July 2021 · 9 mins read)
The Issue I was able to acquire a second hand IBM System x3650 M4 BD (5466). I wanted to replace the ServeRAID card with a “ServeRAID M1015 LSI 9220-8i 6GB…
(Posted on 28 January 2021 · 2 mins read)
During some personal security research I discovered a SSRF vulnerability in IBM Datapower which could then be upgraded to RCE. The practical upshot of which is with an authenticated session…
(Posted on 21 October 2020 · 3 mins read)
I had quite a few issues getting Riot Games new first person shooter Valorant running on my laptop. This is a brief post to cover some of the techniques I…
(Posted on 17 July 2020 · 6 mins read)
I took place in NahamCon CTF. It was a two day event but I was only able to make it for the last 1/2 of the last day. I scored…
(Posted on 13 June 2020 · 6 mins read)
During some work on a project I came across some strange behaviour on how docker handles setuid & setgid. In Linux the setuid and setgid C calls are used to…
(Posted on 20 February 2020 · 8 mins read)
In this post I would like to highlight a really old flaw with the encryption used by the zip file format. This is a known text attack based on the…
(Posted on 05 December 2019 · 4 mins read)
A while ago I had to work with a particularly frustrating application that was required to connect to a hardware appliance. Both of which will remain unnamed in this post….
(Posted on 15 November 2019 · 5 mins read)
The Oxford Competitive Computer Society hosted a Capture the Flag event which was great fun, I ranked third on the scoreboard. Below are my favorite challenges with a video of…
(Posted on 09 June 2019 · 1 min read)
A selection of my favorite projects:
This is a demonstration of a proof of concept I built to tunnel ssh traffic over web-sockets using the same system Google uses (Zero Trust) to secure SSH access. It used JWT, mTLS and OAuth. I build both a client and server application to achieve this.
I reversed engineered and created a practical demo of the the CVE-2019-6111 + CVE-2019-6110 vulnerabilities
I attended Oxford University for a MSc in Software and Systems Security. This page details the 3 software and 7 security modules I attended along with a explanation of my dissertation.
I would not describe myself as a photographer or the kind of chap to have an instagram, but I do enjoy taking photos, so I thought I’d put a few of my faves on here.
A REST API Game where the objective is to have the most beans by the end of the day
Using the Bash Bunny from Hak5 I build payload that can determin the Host OS using p0f and then deliver the required payload
This is a demo of a new pastejacking attack using bash and command link tricks to fool the user into executing malicious code.
A custom made Arduino library to query a Minecraft server using the bespoke UDP query API.
A Arduino door lock using a Fingerprint scanner and a 7 inch touch screen.
A really simple terminal screen saver written in Golang using the tput library.
A companion application to the TSTP, that allows for openCV videos to be saved and then played back.
I recreated the functionality of a hardware encrypted memory stick (such as ‘IronKey’ or ‘Datashur’) using the Arduino micro-controller and a SD card shield.
This is the 3rd incarnation on my Sentry Tracking program. Using opencv and C++, this project dynamically scans a webcam or video feed and tracks one or more targets
One of the largest program I’ve written. A simple space shooter written in C++ using OpenGL and a custom made game engine.
A Arduino based GPS and GRSM Tracking System using a custom built library for the Maplin GSMShield. The Arduino acquires a GPS lock, reads the value and sends the data encrypted via UDP to a collection server.
A fun game to play while on a Conference Call.
A Really simple gateway script to be used on a IBM Datapower to convert XML to JSON using built in Datapower functions.
I primarily write GO / Golang day to day and shell scripting. I have experience with the below languages: